Compliant Product - Trustwave AppDetectivePRO version 10.2
Certificate Date: 2023.09.20
CC Certificate
Security Target
Validation Report
Validation Report Number: CCEVS-VR-VID11306-2023
Product Type: Application Software
Conformance Claim: Protection Profile Compliant
PP Identifier: Protection Profile for Application Software Version 1.4
CC Testing Lab: Acumen Security
Assurance Activity
Administrative Guide
Product Description
AppDetectivePRO (also referred to as ADP) is application software that performs scanning of databases as configured by authorized users. Authorized administrators configure the list of Windows users that may use the ADP application. Authorized users then configure databases (assets) to be scanned, associate policies applicable to each database, and review the results of the scans. All interactions of administrators and users with the TOE are via a GUI provided by the ADP application. The TOE performs automated scanning of the configured databases hosted on the same Microsoft Windows 10 instance. The scanning functionality is referred to as the Scan Engine.
Evaluated Configuration
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017. The evaluation methodology used by the Evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017. The product, when delivered and configured as identified in the Trustwave AppDetectivePRO v10.2 User Guide, July 2021 document, satisfies all of the security functional requirements stated in the AppDetectivePRO v10.2 Security Target, Version 1.9, September 20, 2023. The project underwent CCEVS Validator review. The evaluation was completed in September 2023. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11306-2023) prepared by CCEVS.
Environmental Strengths
The TOE provides the security functionality required by [SWAPP].

3.1 Cryptographic Support
The TOE does not generate keys, use a DRBG or store credentials.

3.2 User Data Protection
The TOE ensures that all sensitive application data is encrypted and protected. The TOE does not maintain sensitive information repositories and it restricts its access only to network connectivity. The TOE restricts inbound and outbound network communications only to user-initiated network communication for scanning configured databases.

3.3 Security Management
The TOE does not come with any default credentials. The user installing the TOE is automatically configured as an authorized Administrator. Administrators may authorize additional users to execute the ADP application. Authorized users may use the ADP application to manage Assets and Policies and execute scans. Scan results may also be viewed.

3.4 Privacy
The TOE itself does not contain or transmit any PII.

3.5 Protection of the TSF
The TOE employs several mechanisms to ensure that it is secure on the host platform. Only documented platform APIs are used by the TOE. The TOE never allocates memory with both write and execute permission. Evaluated platform functionality is used to verify the TOE version and perform updates.

3.6 Trusted Path/Channels
The TOE does not transmit sensitive data.

Vendor Information
Trustwave Holdings Inc
Anirban Chowdhuri
312-873-7500
N/A
achowdhuri@trustwave.com
www.trustwave.com